Love comes around again

CA has received reports of a widespread email spamming campaign that attempts to lure users to a malicious site by masquerading as a Valentine's Day e-card.

CA has received reports of a widespread email spamming campaign that attempts to lure users to a malicious site by masquerading as a Valentine's Day e-card. If users click on the link to receive their 'card', they are transferred to a site that informs them that they need to download a flashplayer. This flashplayer (using the filename flashplayer.cab) is actually a package that contains a trojan called Win32/Hanlo.I. “This is an example of a classic social-engineering attack harkening back to the days of Love Bug (VBS.Loveletter),” said Ned Jaroudi, Area Marketing Director, CA EMEA Eastern Markets. “We appear to have come full circle to some extent as these types of ruses used to be quite commonly distributed to convince people to run malicious executables, mainly by mass-mailing worms. “With the decline of the mass-mailing worm, and as users became suspicious of these types of messages, they were no longer as successful. It now appears that the attackers assume that users have forgotten their suspicion – it remains to be seen just how successful this tactic will be. The difference between then and now, is that we are seeing more controlled attacks, using techniques from mass-mailing worms. And thanks to the prevalence of systems compromised by spam-bots, it's no longer necessary to create your own worm - malware is now being distributed in the same way as spam,” he said With the latest attack, the file flashplayer.cab contains the file install.exe. When executed, this file creates and runs the main Win32/Hanlo.I trojan executable. Hanlo.I then creates a driver that hides the trojan's presence on an affected machine. The trojan executes at subsequent system startups by registering itself as a service named 'AVSearch service'. However, as the device driver component of the trojan is used to hide the main executable, this will not be visible to affected users. In order to continue the farce and mask its installation, the trojan also opens a web page that appears to be a Valentine's Day e-card. This is a fake site designed to mimic the real 'original cards' site. As a payload, the trojan downloads and executes arbitrary files on the affected machine leaving the user vulnerable to further system compromise.